Friday, September 14, 2018

I recently had the pleasure of bumping into some of my Canadian friends at a Law Enforcement conference. So when I saw someone mention a "National Bank of Canada" phish, I thought I would pull on the string a bit and see if it was actually an "Interac" phish. Interac is a system for easily sending money between different Canadian banks. The phishers love it, because by imitating Interac, they can steal login information from any Canadian, regardless of where they bank.

By walking up to a higher directory, sure enough, the National Bank of Canada phish was just a tiny part of an underlying Interac phish hosted at 178.128.125[.]127, a Digital Ocean box in Kalívia, Attiki, Greece.

178.128.125[.]127/deposit

We can tell by the timestamp of the directory that this is a fresh phish - created earlier this morning:

On each of the banks, clicking on their logo would take the visitor to a phishing site for that brand. (Curiously, HSBC did not work for this author - it took us to the real HSBC website via a Google search?)

ATB Phish

Desjardins Phish

Laurentian Bank (LBC) Phish

Manulife Bank Phish

RBC Royal Bank Phish

Quite a few of the phish seemed to be formatted for browsing on a smartphone:

BMO Mobile Phish

CIBC Mobile Phish

Meridian Bank Phish

Scotiabank Mobile Phish

Simplii Financial Phish

Tangerine Phish

TD Bank Phish

On most of the phishing pages, after entering a Userid and Password, the phish would indicate that the deposit was no longer available by displaying an Interac Error page:

An Interac Error page displays briefly, then forwards to the real bank

This means that the banks may be able to detect these phishing victims by looking for "referring URLs" coming from pages named "error.html", for example, in this case:

hXXp://178.128.125[.]127/deposit/banks/Laurentian/error.html

A few of the brands, such as National Bank of Canada, did ask for additional information:

National Bank of Canada Phish Validation page

After "Validating", the phish forwarded to the real site, nbc.ca, which means they also might wish to check for "referring URLs" containing "Validation" in the path, such as this one:

hXXp://178.128.125[.]127/deposit/banks/National/Validation/
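The two referrer checks described above can be run over a bank's web server access log. The following is an added example, not code from the original post: it assumes Apache/nginx "combined" log format, and the `OWN_DOMAINS` list, the `bank.example` name and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hostnames the bank serves its own pages from (nbc.ca is named in the post).
OWN_DOMAINS = {"nbc.ca", "bank.example"}

# Apache/nginx "combined" log format; only client IP, timestamp and referrer are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" '
                    r'\d{3} \S+ "(?P<ref>[^"]*)" "[^"]*"$')

def is_own(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OWN_DOMAINS)

def referrer_reason(ref):
    """Return why a referrer looks like a phishing-kit exit page, or None."""
    try:
        parts = urlsplit(ref)
        host = parts.hostname
    except ValueError:          # malformed referrer, e.g. broken IPv6 brackets
        return None
    if not host or is_own(host):
        return None             # empty, "-", or the bank's own pages
    segments = [s.lower() for s in parts.path.split("/") if s]
    if segments and segments[-1] == "error.html":
        return "external error.html"
    if "validation" in segments:
        return "external Validation path"
    return None

def scan(lines):
    """Return (client_ip, timestamp, reason, referrer) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        reason = referrer_reason(m["ref"]) if m else None
        if reason:
            hits.append((m["ip"], m["ts"], reason, m["ref"]))
    return hits

# Constructed sample log lines (documentation-range IPs, not real traffic).
T = '[14/Sep/2018:10:02:11 -0400] "GET / HTTP/1.1" 200 5120'
SAMPLE = [
    f'198.51.100.23 - - {T} "http://203.0.113.7/deposit/banks/Laurentian/error.html" "Mozilla/5.0"',
    f'198.51.100.40 - - {T} "http://203.0.113.7/deposit/banks/National/Validation/" "Mozilla/5.0"',
    f'198.51.100.51 - - {T} "https://www.nbc.ca/help/error.html" "Mozilla/5.0"',
    f'198.51.100.62 - - {T} "-" "Mozilla/5.0"',
]

for hit in scan(SAMPLE):
    print(hit)
```

Each hit identifies a client that arrived directly from a kit's exit page, so the matching session is a candidate for a credential reset. Browsers that suppress the Referer header will not appear.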

The CIBC Mobile Phish also had some additional questions for their potential victim:

CIBC Mobile Phish Validation page

So, my Canadian friends, if you get an unanticipated request to deposit funds to your account via Interac, you might want to delay accepting that deposit!